
Scan licenses of dependencies

Open shengy90 opened this issue 1 year ago • 1 comment

Short Description

Detect licenses of dependencies too.

Possible Labels

dependencies improve-license-detection

  • new feature

Select Category

  • [x] Enhancement
  • [ ] Add License/Copyright
  • [ ] Scan Feature
  • [ ] Packaging
  • [ ] Documentation
  • [ ] Expand Support
  • [ ] Other

Describe the Update

ScanCode right now looks like it's only scanning for explicit copyright text or license texts in the existing code base. I would like to also be able to pick up licenses of dependencies, set up flags, and see where the flagged dependencies have been used in the code base.

For example (this repo for inspiration: https://github.com/raimon49/pip-licenses):

  • Set flag to detect GPL licenses
  • Pick up all dependencies in my project that use GPL licenses
  • Then spot in my code base where this package was used so I can determine what to do with them etc.

How This Feature will help you/your organization

Identify GPL packages used and where in the code base they were used, so we can detect how we want to handle them, to avoid issues with GPLs.

Possible Solution/Implementation Details

Example/Links if Any

Can you help with this Feature

shengy90 avatar Jun 25 '24 15:06 shengy90

Just a few updates here:

  1. we detect direct dependencies in manifests and lockfiles now in ScanCode toolkit
  2. deplock in https://github.com/nexB/dependency-inspector/ can generate missing dependency lockfiles for parsing with 1.
  3. PurlDB can scan and store scan results for source and binaries for the packages
  4. ScanCode.io can detect the dependencies like ScanCode toolkit, parsing the lockfile eventually generated by deplock
  5. We can also match other non-documented dependencies using matchcode (backed by PurlDB signatures)
  6. ScanCode.io can also find "hidden" dependencies in binaries using the "map deploy to devel" pipeline.

A simple process to scan all the dependencies:

  1. run deplock
  2. then scan your project in ScanCode.io to detect the packages
  3. add also the populate purldb pipeline: this will trigger a full source and binary scan of all the dependencies
  4. enrich the scan results with a purldb lookup

pombredanne avatar Aug 14 '24 09:08 pombredanne
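A worked example of the flag-and-locate step the issue asks for, layered on the process described in the reply above. This is added here and is not code from scancode-toolkit, ScanCode.io or PurlDB. It reads a ScanCode-style JSON scan (the field names `dependencies`, `purl`, `datafile_path`, `is_runtime` and `resolved_package.declared_license_expression` are assumed to follow the toolkit's JSON layout; the scan document, the PurlDB-style license lookup table standing in for the "enrich with a purldb lookup" step, and the source tree are all constructed inline), flags dependencies whose declared license expression requires a GPL or AGPL license, distinguishes an unconditional GPL from a `gpl-2.0 OR mit` choice and from LGPL, and then locates Python import sites for each flagged package. The purl-name-to-module mapping (dash to underscore) is a heuristic assumption, and the expression splitting assumes the flat, unparenthesized form.

```python
"""Flag GPL-family dependencies in a ScanCode JSON scan and locate their import sites.

Added example, not part of scancode-toolkit. Field names follow the toolkit's
JSON output as assumed here; all input below is constructed by hand.
"""
import json
import re

# gpl-* and agpl-* are strong copyleft; lgpl-* is deliberately not matched.
GPL_FAMILY = re.compile(r"^a?gpl-")

# Constructed stand-in for the "dependencies" list of a `scancode --package` scan.
SAMPLE_SCAN = json.dumps({"dependencies": [
    {"purl": "pkg:pypi/readline-wrapper@1.0", "datafile_path": "requirements.txt",
     "is_runtime": True, "resolved_package": {}},
    {"purl": "pkg:pypi/requests@2.32.0", "datafile_path": "requirements.txt",
     "is_runtime": True, "resolved_package": {}},
    {"purl": "pkg:pypi/dual-licensed@0.4", "datafile_path": "setup.py",
     "is_runtime": True, "resolved_package": {}},
    # A lockfile entry that already carries a resolved declared license.
    {"purl": "pkg:pypi/lgpl-lib@2.0", "datafile_path": "poetry.lock",
     "is_runtime": True, "resolved_package": {"declared_license_expression": "lgpl-2.1"}},
]})

# Constructed purl -> license expression table; stands in for a PurlDB lookup.
SAMPLE_PURLDB = {
    "pkg:pypi/readline-wrapper@1.0": "gpl-3.0-plus",
    "pkg:pypi/requests@2.32.0": "apache-2.0",
    "pkg:pypi/dual-licensed@0.4": "gpl-2.0 OR mit",
}

# Constructed source tree: path -> file text.
SAMPLE_SOURCES = {
    "app/cli.py": "import sys\nimport readline_wrapper\n\ndef main():\n    readline_wrapper.run()\n",
    "app/net.py": "import requests\nfrom dual_licensed.core import Thing\n",
    "tests/test_x.py": "from readline_wrapper import run  # used in tests only\n",
}


def copyleft_status(expression):
    """Classify a flat ScanCode license expression (keys joined by AND/OR/WITH).
    'required': every top-level OR alternative contains a GPL/AGPL key.
    'choice':   some alternatives do, so a non-GPL option exists.
    None:       no alternative does (includes LGPL-only and permissive)."""
    if not expression:
        return None
    alternatives = [a for a in re.split(r"\s+OR\s+", expression.strip()) if a]
    hits = []
    for alt in alternatives:
        keys = re.split(r"\s+(?:AND|WITH)\s+", alt)
        hits.append(any(GPL_FAMILY.match(k) for k in keys))
    if all(hits):
        return "required"
    return "choice" if any(hits) else None


def module_name(purl):
    """Heuristic: pypi distribution name with dashes as underscores. Real
    projects need an override table (e.g. 'Pillow' imports as 'PIL')."""
    return purl.rsplit("/", 1)[-1].split("@", 1)[0].replace("-", "_")


def find_import_sites(sources, module):
    """Return (path, line_no, line) for 'import mod' / 'from mod[.sub] import'.
    Comma-separated imports ('import a, mod') are not detected."""
    pat = re.compile(r"^\s*(?:from\s+%s(?:\.\w+)*\s+import\b|import\s+%s\b)"
                     % (re.escape(module), re.escape(module)))
    return [(path, n, line.strip())
            for path, text in sources.items()
            for n, line in enumerate(text.splitlines(), 1)
            if pat.match(line)]


def report(scan_json, purl_licenses, sources):
    """Map each flagged dependency purl to its license, status, manifest and import sites."""
    flagged = {}
    for dep in json.loads(scan_json).get("dependencies", []):
        purl = dep["purl"]
        resolved = dep.get("resolved_package") or {}
        expr = resolved.get("declared_license_expression") or purl_licenses.get(purl)
        status = copyleft_status(expr)
        if status is None:
            continue
        flagged[purl] = {
            "license": expr, "status": status,
            "manifest": dep.get("datafile_path"),
            "runtime": dep.get("is_runtime", True),
            "sites": find_import_sites(sources, module_name(purl)),
        }
    return flagged


if __name__ == "__main__":
    for purl, info in report(SAMPLE_SCAN, SAMPLE_PURLDB, SAMPLE_SOURCES).items():
        print(purl, info["license"], info["status"])
        for path, n, line in info["sites"]:
            print("   ", "%s:%d  %s" % (path, n, line))
```

The `choice` status is the one reviewers tend to get wrong: a `gpl-2.0 OR mit` dependency is only a problem if the project elects the GPL side, so it should land in a review queue rather than a hard block. A dependency with no license data at all (no resolved license and no lookup hit) is silently not flagged here; a stricter policy would report unknowns separately.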